Blog

Electronic voting seems to be popping up again thanks to our favorite digital ostrich, Diebold. Martin Mckeay’s also writing on this a bit, and it’s well worth reading. This isn’t the first time I’ve mentioned this, and I didn’t come up with the idea, but with the most recent Diebold gossip I think it bears repeating. Gambling systems, electronic or physical, undergo extensive testing, validation, and auditing. We’re not just talking hacking, they shock the darn things with cattle prods and attack them using such phenomenally creative techniques that I’m awestruck the few

I’m out on the road this week, right now spending two days at a strategic planning session with a large energy company. This is the kind of trip I actually enjoy- working with an end-user on strategic issues at the executive level where they really want to solve the problem. The theme of the day is major disruptions- how to stay in business in the face of massive disasters that go well beyond disaster recovery. I’m just one of about a dozen outsiders brought in to try and get people thinking in new directions. Someone saw one of

A few months ago I picked up a Western Digital external hard drive at Costco since my MacBook’s internal drive was a bit stuffed with digital photos. The WD drive is a pretty nice USB drive and really portable. The problem? I started having some intermittent failures on the drive. Since this is where I now keep my wedding photos (backed up somewhere else, of course) I decided to return it before it totally died on me. I got the replacement drive, packed up the original, and heading to the shipping store… … where I realized I hadn’t wiped

I’m sitting in the Martini Monkey in San Jose airport, by far the best airport bar in history and possibly my favorite bar anywhere in the US. This place is a seriously funky oasis for those of us banished to the purgatory of airport terminals and solitary $10 crap beers in our hotel rooms. Okay, I might be on my 2nd-ish beer. I just spent the past two days working with clients out in the Valley area. Both are security startups, both are in pretty exciting markets, and I’ve worked with both for a while now. One is about

It’s been a while since Richard Stiennon and I worked together, and I’m learning one of the more enjoyable aspects of blogging is the opportunity to pick on him again. In a post today over at Threat-Chaos Richard states, Most of the premise of this week’s Security Standard conference in Boston appears to be that CIO’s, CSO’s and IT security practitioners have to treat security as a business process just like any other. My perspective is that treating IT security like a business process is like treating a tactical military strike force as a business.

Last Friday I was packing up for a weekend trip with my wife to Tuscon when my faithful RSS reader chased me down with the latest post on Daring Fireball. I ignored it over the weekend, but think it’s time for a response. John Gruber, ever the poker player (his words, not mine) issued an open challenge to Dave Maynor and John Ellch to crack a stock MacBook. If they win, they keep it. If they can’t break in, they pay Gruber the retail price. Today John Gruber followed up with this post, upping the ante a bit

Really amusing considering our current discussions: How to Handle Security Problems in Your Products This is from Thomas H. Ptacek who’s blogging at matasano.com. I’m not sure how old it is. Ptacek seems to think I’m smart (which I’ll never argue with) but have nothing new to say on disclosure. He’s probably right, but since we still don’t have industry consensus around disclosure there’s still words to be written, and old thoughts to be repackaged in new ways. This is a pretty old debate; one where I don’t expect resolution just

There are very few genuine, passionate people in this world. Today, with the death of Steve Irwin, there is one less. http://www.cnn.com/2006/SHOWBIZ/TV/09/04/australia.irwin/index.html http://animal.discovery.com/fansites/crochunter/steve/statement.html?clik=www_wh_2 Steve was a personal hero of mine. Not because of any crazy stunts, but because of his integrity, honesty, and utter dedication to his family and what he believed in. This is just a terrible loss and the only ones that matter now are his family. Although I never met Steve I was fortunate enough to visit

Rich, It feels heretical, but I can agree that obscurity can provide some security. The problem comes when people count on secrecy as their only or primary security. Jim: “Oh, we don’t have to encrypt passwords. Sniffing is hard!”
Bob: “Hey, thank you for those credit card numbers!”
Jim: “What?”
Bob: “Ha ha, my friend Joe got a job at your ISP about a year ago, and started looking for goodies.” Vendor: “Nobody will ever bother looking in the MySQL DB for the passwords.”
Cracker: “0WNED! Thank you, and let’s see how many of your users use the

Contact

About

Securosis is an information security research and advisory firm dedicated to transparency, objectivity, and quality. We are totally obsessed with improving the practice of information security. Our job is to save you money and help you do your job better and faster by helping you cut through the noise and providing clear, actionable, pragmatic advice on securing your organization.